Sex sites out, IT sites in for cybercrooks planting malware

Ellen Messmer |
Feb. 13, 2013

Cybercriminals have long loaded compromised websites with malware-laden links to snare victims, but the favored type of site is no longer the sex sites of old: it is now the information technology site, according to analysis in the Websense threat report released today.

According to analysis based on its ThreatSeeker technology and other means, 85% of malicious Web links last year were found on legitimate hosts that had been compromised, up from 82% the year before. Cybercriminals see value in infiltrating enterprise computers by subverting anything remotely related to information technology, from vendor websites to content such as blogs and news, says Chris Astacio, research manager at Websense.

In addition, businesses that do Web filtering today usually block access to porn and gambling sites, but they are reluctant to limit access to any site related to IT because doing so might cut into productivity. After "information technology," the category most targeted for malware links was "business and economy."
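The gap the report points at is easy to see in code: a filter that decides purely on site category will block the porn and gambling domains and wave through a malicious link planted on a compromised IT vendor or blog host, because the host's category is one the business allows. The script below is an added illustration, not code from Websense or from the article, and every domain, category assignment, indicator URL and proxy log line in it is constructed for the example. It evaluates the same constructed log under a category-only policy and under a policy that also checks each URL against an indicator list, and reports which known-bad links the category-only policy let through.

```python
"""Added example: why category-only Web filtering misses malicious links on
compromised legitimate hosts. All domains, categories, indicators and log
lines below are constructed for this illustration."""
from collections import Counter
from urllib.parse import urlparse

# Hypothetical category map for the constructed domains.
CATEGORIES = {
    "adult-example.test": "adult",
    "bets-example.test": "gambling",
    "itvendor-example.test": "information technology",
    "techblog-example.test": "information technology",
    "trade-example.test": "business and economy",
}

# Categories a typical enterprise policy blocks outright (porn and gambling
# blocked, IT left open, as the article describes).
BLOCKED_CATEGORIES = {"adult", "gambling"}

# Hypothetical indicator feed: exact URLs known to have been planted on
# otherwise legitimate, compromised hosts. Constructed for this example.
KNOWN_BAD_URLS = {
    "http://itvendor-example.test/downloads/patch/setup.exe",
    "http://techblog-example.test/wp-content/uploads/2013/02/update.js",
}

# Constructed proxy log, one request per line: "<timestamp> <client> <url>".
PROXY_LOG = """\
2013-02-13T09:01:02Z 10.0.1.15 http://adult-example.test/index.html
2013-02-13T09:02:10Z 10.0.1.15 http://itvendor-example.test/docs/release-notes.html
2013-02-13T09:02:11Z 10.0.1.15 http://itvendor-example.test/downloads/patch/setup.exe
2013-02-13T09:05:44Z 10.0.1.22 http://bets-example.test/poker
2013-02-13T09:07:30Z 10.0.1.22 http://techblog-example.test/wp-content/uploads/2013/02/update.js
2013-02-13T09:09:00Z 10.0.1.31 http://trade-example.test/news
"""


def category_of(url):
    """Look up the host's category; unknown hosts are 'uncategorized'."""
    return CATEGORIES.get(urlparse(url).hostname, "uncategorized")


def category_only_verdict(url):
    """Decide on category alone, as most Web filtering policies do."""
    return "block" if category_of(url) in BLOCKED_CATEGORIES else "allow"


def category_plus_indicator_verdict(url):
    """Category policy first, then a per-URL indicator check, so a bad link
    on an allowed-category host is still caught."""
    if category_of(url) in BLOCKED_CATEGORIES:
        return "block"
    return "block" if url in KNOWN_BAD_URLS else "allow"


def parse_log(text):
    """Split the constructed log into (timestamp, client, url) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, url = line.split(maxsplit=2)
            rows.append((ts, client, url))
    return rows


def missed_by_category_policy(text):
    """Known-bad URLs the category-only policy allowed, with the category
    that let each one through."""
    missed = []
    for _, _, url in parse_log(text):
        if (category_only_verdict(url) == "allow"
                and category_plus_indicator_verdict(url) == "block"):
            missed.append((url, category_of(url)))
    return missed


def summarize(text):
    """Block/allow counts under each policy for side-by-side comparison."""
    rows = parse_log(text)
    return {
        "category_only": dict(Counter(category_only_verdict(u) for _, _, u in rows)),
        "category_plus_indicator": dict(
            Counter(category_plus_indicator_verdict(u) for _, _, u in rows)),
    }


if __name__ == "__main__":
    for url, cat in missed_by_category_policy(PROXY_LOG):
        print(f"missed by category policy: {url} (category: {cat})")
    print(summarize(PROXY_LOG))
```

Both missed links sit on hosts categorized as "information technology", which is exactly the category the article says businesses will not block; the category decision is correct for the host and still wrong for the URL. In a real deployment the indicator set would come from a reputation or threat-intelligence feed and would be matched on URL and path, not just on hostname, because the rest of the compromised site is usually still legitimate.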

The top countries hosting malware are the United States, the Russian Federation and Germany, the report says, and the top three "victim" countries are the U.S., France and the United Kingdom. Spam remains the attacker's main route to victims: only 1 in 5 emails is considered safe or legitimate, according to the Websense report. The U.S. also ranks as the top country for hosting phishing emails last year, followed by the Bahamas and Canada.

Once a victim's machine has been compromised, the attacker is likely to transfer sensitive information out of the enterprise network through so-called command and control (CnC) servers. To find out where these servers are located, Websense used a customized sandboxing method to detect attempted attacks against its customers. According to Websense, the top countries hosting CnC servers are China, the U.S. and Russia, which together account for about half of all detected activity of this kind.